public Tuple <string, byte[]> Post(byte[] body) { Debug.WriteLine($"Length of input is {body.Length} bytes"); var parts = TLVParser.Parse(body); var state = parts.GetTypeAsInt(Constants.State); Debug.WriteLine($"Pair Setup: Status [{state}]"); if (state == 1) { Console.WriteLine("Pair Setup Step 1/6"); Console.WriteLine("SRP Start Response"); Random randomNumber = new Random(); int code = randomNumber.Next(100, 999); CODE = $"123-45-{code}"; Console.WriteLine($"********************"); Console.WriteLine($"* PIN CODE: {CODE} *"); Console.WriteLine($"********************"); Random rnd = new Random(); salt = new Byte[16]; rnd.NextBytes(salt); // **** BOUNCY CASTLE CODE - NOT USED **** //https://www.programcreek.com/java-api-examples/index.php?api=org.bouncycastle.crypto.agreement.srp.SRP6Server var I = "Pair-Setup";// Program.ID; var P = CODE; var hashAlgorithm = SHA512.Create(); var groupParameter = SRP.SRP.Group_3072; sessionServer = new SRPServer(groupParameter, hashAlgorithm); server_k = sessionServer.Compute_k(); server_x = sessionServer.Compute_x(salt, I, P); server_v = sessionServer.Compute_v(server_x.ToBigInteger()); Console.WriteLine($"Verifier [Length={server_v.ToBytes().Length}]"); Console.WriteLine(server_v.ToString("X")); server_b = new Byte[32]; rnd.NextBytes(server_b); server_B = sessionServer.Compute_B(server_v, server_k.ToBigInteger(), server_b.ToBigInteger()); Console.WriteLine($"B [Length={server_B.ToBytes().Length}]"); Console.WriteLine(server_B.ToString("X")); var publicKey = server_B.ToBytes(); TLV responseTLV = new TLV(); responseTLV.AddType(Constants.State, 2); responseTLV.AddType(Constants.PublicKey, publicKey); responseTLV.AddType(Constants.Salt, salt); byte[] output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); } else if (state == 3) { Console.WriteLine("Pair Setup Step 3/6"); Console.WriteLine("SRP Verify Request"); var iOSPublicKey = parts.GetType(Constants.PublicKey); // A var iOSProof = parts.GetType(Constants.Proof); // M1 Console.WriteLine("A"); Console.WriteLine(ByteArrayToString(iOSPublicKey)); Console.WriteLine("M1 (Client)"); Console.WriteLine(ByteArrayToString(iOSProof)); // Compute the scrambler. // var u = sessionServer.Compute_u(iOSPublicKey, server_B.ToBytes()); Console.WriteLine("U (Scramber)"); Console.WriteLine(ByteArrayToString(u)); // Compute the premaster secret // var server_S = sessionServer.Compute_S(iOSPublicKey.ToBigInteger(), server_v, u.ToBigInteger(), server_b.ToBigInteger()); Console.WriteLine("S"); Console.WriteLine(server_S.ToString("X")); // Compute the session key // server_K = sessionServer.Compute_K(server_S.ToBytes()); Console.WriteLine("K (Session Key)"); Console.WriteLine(ByteArrayToString(server_K)); // Compute the client's proof // var client_M1 = sessionServer.Compute_M1("Pair-Setup", salt, iOSPublicKey, server_B.ToBytes(), server_K); Console.WriteLine("M1 (Server)"); Console.WriteLine(ByteArrayToString(client_M1)); // Check the proof matches what was sent to us // bool isValid = iOSProof.CheckEquals(client_M1); TLV responseTLV = new TLV(); responseTLV.AddType(Constants.State, 4); if (isValid) { Console.WriteLine("Verification was successful. Generating Server Proof (M2)"); var server_M2 = sessionServer.Compute_M2(iOSPublicKey, client_M1, server_K); File.WriteAllBytes("SRPProof", server_M2); responseTLV.AddType(Constants.Proof, server_M2); } else { Console.WriteLine("Verification failed as iOS provided code was incorrect"); responseTLV.AddType(Constants.Error, ErrorCodes.Authentication); } byte[] output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); } else if (state == 5) { Debug.WriteLine("Pair Setup Step 5/6"); Debug.WriteLine("Exchange Response"); var iOSEncryptedData = parts.GetType(Constants.EncryptedData); // A int messageDataLength = iOSEncryptedData.Length - 16; byte[] messageData = new byte[messageDataLength]; Buffer.BlockCopy(iOSEncryptedData, 0, messageData, 0, messageDataLength); byte[] authTag = new byte[16]; Buffer.BlockCopy(iOSEncryptedData, messageDataLength, authTag, 0, 16); HKDF g = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Info")); var outputKey = g.GetBytes(32); var hkdfEncKey = outputKey; //var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0"); var testKey = StringToByteArray("bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af 26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa"); var testNonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08"); var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + "a6 ad 5c b4 02 2b 02 70 9b"); //var tag1 = Aead.Mac(testKey, testNonce, testCipherText, Aead.Algorithm.Chacha20_Poly1305); //Console.WriteLine("Tag: " + ByteArrayToString(tag1)); //Console.WriteLine(""); //byte[] pt, ct, key, nonce, tag, aad; //key = Cnv.FromHex("1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0"); //ct = Cnv.FromHex("64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b"); //nonce = Cnv.FromHex("000000000102030405060708"); //aad = Cnv.FromHex("f33388860000000000004e91"); //tag = Cnv.FromHex("eead9d67890cbb22392336fea1851f39"); //pt = Aead.Decrypt(ct, key, nonce, aad, tag, Aead.Algorithm.Chacha20_Poly1305); //Console.WriteLine("P:" + Cnv.ToHex(pt)); //// This is UTF-8-encoded text, so display it //string Str = Encoding.UTF8.GetString(pt); //Console.WriteLine(Str); //Console.WriteLine(General.ErrorCode()); //Console.WriteLine(""); /* * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0"); * var nonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08"); * * var testChacha = new ChaCha20Poly1305(); * var testParameters = new ParametersWithIV(new KeyParameter(testKey), nonce); * testChacha.Init(false, testParameters); * * KeyParameter testMacKey = InitRecordMAC(testChacha); * * Console.WriteLine("MAC From Test Vectors"); * Console.WriteLine(ByteArrayToString(testMacKey.GetKey())); * * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + * "a6 ad 5c b4 02 2b 02 70 9b"); * * * var testPoly = new ChaCha20Poly1305.Poly1305(); * * testPoly.Init(new KeyParameter(testKey)); * * var aad = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91"); * * var polyInput = new byte[0]; * * var aadPadding = new byte[0]; * var cipherTextPadding = new byte[0]; * * if (aad.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (aad.Length % 16); * aadPadding = new byte[bytesRequiredForRounding]; * } * * if (testCipherText.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (testCipherText.Length % 16); * cipherTextPadding = new byte[bytesRequiredForRounding]; * } * * //polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray(); * polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray(); * * var expectedPolyInput = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00" + * "64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + * "a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00" + * "0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00"); * * var polyMatchesExpectedValue = polyInput.SequenceEqual(expectedPolyInput); * * Debug.WriteLine("Test Poly AEAD Input"); * Debug.WriteLine(ByteArrayToString(polyInput)); * * testPoly.BlockUpdate(polyInput, 0, polyInput.Length); * * byte[] testCalculatedTag = new byte[testPoly.GetMacSize()]; * testPoly.DoFinal(testCalculatedTag, 0); * * Debug.WriteLine("Test Tag"); * Debug.WriteLine(ByteArrayToString(testCalculatedTag)); * * Debug.Write("H"); */ // ***************************************** // NaCl test code // /* * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0"); * var testNonce = StringToByteArray("01 02 03 04 05 06 07 08"); * * var testChacha = new ChaChaEngine(20); * var testParameters = new ParametersWithIV(new KeyParameter(testKey), testNonce); * testChacha.Init(false, testParameters); * * KeyParameter testMacKey = InitRecordMAC(testChacha); * * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + * "a6 ad 5c b4 02 2b 02 70 9b"); * * var testReceivedTag = StringToByteArray("ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38"); * var testChaChaKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0"); * bool verified = OneTimeAuth.Poly1305.Verify(testReceivedTag, testCipherText, testChaChaKey); * var testLongNonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08"); * var decryptedTest = XSalsa20Poly1305.TryDecrypt(testCipherText, testKey, testLongNonce); * * Console.WriteLine(verified); */ // COSE //************************************** // TEST CODE FOR BouncyCastle POLY1305 /* * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0"); * var nonce = StringToByteArray("01 02 03 04 05 06 07 08"); * * var testChacha = new ChaChaEngine(20); * var testParameters = new ParametersWithIV(new KeyParameter(testKey), nonce); * testChacha.Init(false, testParameters); * * KeyParameter testMacKey = InitRecordMAC(testChacha); * * Console.WriteLine("MAC From Test Vectors"); * Console.WriteLine(ByteArrayToString(testMacKey.GetKey())); * * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + * "a6 ad 5c b4 02 2b 02 70 9b"); * * * var testPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305(); * * testPoly.Init(testMacKey); * * var aad = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91"); * * var polyInput = new byte[0]; * * var aadPadding = new byte[0]; * var cipherTextPadding = new byte[0]; * * if (aad.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (aad.Length % 16); * aadPadding = new byte[bytesRequiredForRounding]; * } * * if (testCipherText.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (testCipherText.Length % 16); * cipherTextPadding = new byte[bytesRequiredForRounding]; * } * * polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray(); * * var expectedPolyInput = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00" + * "64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" + * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" + * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" + * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" + * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" + * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" + * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" + * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" + * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" + * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" + * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" + * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" + * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" + * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" + * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" + * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" + * "a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00" + * "0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00"); * * var polyMatchesExpectedValue = polyInput.SequenceEqual(expectedPolyInput); * * Debug.WriteLine("Test Poly AEAD Input"); * Debug.WriteLine(ByteArrayToString(polyInput)); * * //byte[] testCalculatedTag = new byte[testPoly.GetMacSize()]; * * testPoly.BlockUpdate(polyInput, 0, polyInput.Length); * * * byte[] testCalculatedTag = new byte[100]; * * for (int i = 0; i < 84; i++) * { * testPoly.DoFinal(testCalculatedTag, i); * * Debug.WriteLine("Test Tag"); * Debug.WriteLine(ByteArrayToString(testCalculatedTag)); * } * * * * * Debug.Write("H"); * * testPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305(); * * testPoly.Init(testMacKey); * * // The AAD * // * testPoly.BlockUpdate(aad, 0, aad.Length); * * // The AAD padding * // * if (aad.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (aad.Length % 16); * testPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding); * } * * // The ciphertext. * // * testPoly.BlockUpdate(testCipherText, 0, testCipherText.Length); * * // The ciphertext padding length. * // * if (testCipherText.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (testCipherText.Length % 16); * testPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding); * } * * // The length of the AAD * // * testPoly.BlockUpdate(BitConverter.GetBytes(aad.LongLength), 0, 8); * * // The length of the ciphertext * // * testPoly.BlockUpdate(BitConverter.GetBytes(testCipherText.LongLength), 0, 8); * * // Compute the final key * // * byte[] alternativeTestCalculatedTag = new byte[testPoly.GetMacSize()]; * testPoly.DoFinal(alternativeTestCalculatedTag, 0); * * Debug.WriteLine("Alternative Test Tag"); * Debug.WriteLine(ByteArrayToString(alternativeTestCalculatedTag)); * * // Decrypt * // * var testOutput = new byte[testCipherText.Length]; * testChacha.ProcessBytes(testCipherText, 0, testCipherText.Length, testOutput, 0); * * Debug.WriteLine("Decrypted Test CipherText"); * Debug.WriteLine(ByteArrayToString(testOutput)); * */ // END OF BouncyCastle Poly1305 Test Code //******************************************** //var chacha = new ChaChaEngine(20); //var parameters = new ParametersWithIV(new KeyParameter(outputKey), Encoding.UTF8.GetBytes("PS-Msg05")); //chacha.Init(false, parameters); //KeyParameter macKey = InitRecordMAC(chacha); //var iOSPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305(); #region OLD POLY /* * iOSPoly.Init(macKey); * * // The AAD padding length. * // * //iOSPoly.BlockUpdate(new byte[4], 0, 4); * * // The ciphertext. * // * iOSPoly.BlockUpdate(messageData, 0, messageData.Length); * * // The ciphertext padding length. * // * if (messageData.Length % 16 != 0) * { * int bytesRequiredForRounding = 16 - (messageData.Length % 16); * iOSPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding); * } * * // The length of the AAD * // * iOSPoly.BlockUpdate(new byte[8], 0, 8); * * // The length of the ciphertext * // * iOSPoly.BlockUpdate(BitConverter.GetBytes(messageData.LongLength), 0, 8); * * // Compute the final key * // * byte[] calculatedMAC = new byte[iOSPoly.GetMacSize()]; * iOSPoly.DoFinal(calculatedMAC, 0); * * // Verify this calculatedMac matches the iOS authTag. * // This is failing, which implies the way I'm generating the MAC is incorrect. * // * //bool isAuthTagValid = CryptoBytes.ConstantTimeEquals(authTag, calculatedMAC); * //if (!isAuthTagValid) * //{ * // return new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest); * //} */ #endregion //byte[] output = new byte[messageData.Length]; //chacha.ProcessBytes(messageData, 0, messageData.Length, output, 0); byte[] output, ct, key, nonce, tag, aad; key = outputKey; ct = messageData; nonce = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PS-Msg05")).ToArray(); aad = new byte[0]; tag = authTag; output = Aead.Decrypt(ct, key, nonce, aad, tag, Aead.Algorithm.Chacha20_Poly1305); Console.WriteLine("P:" + Cnv.ToHex(output)); // This is UTF-8-encoded text, so display it string Str = Encoding.UTF8.GetString(output); Console.WriteLine(Str); Console.WriteLine(General.ErrorCode()); Console.WriteLine(""); Debug.WriteLine("Decrypted TLV"); Debug.WriteLine(ByteArrayToString(output)); var subData = TLVParser.Parse(output); byte[] username = subData.GetType(Constants.Identifier); byte[] ltpk = subData.GetType(Constants.PublicKey); byte[] proof = subData.GetType(Constants.Signature); Console.WriteLine("iOSDeviceInfo"); Console.WriteLine($"Username [{username.Length}]: {Encoding.UTF8.GetString(username)}"); Console.WriteLine($"LTPK [{ltpk.Length}]: {ByteArrayToString(ltpk)}"); Console.WriteLine($"Proof [{proof.Length}]: {ByteArrayToString(proof)}"); // Verify the proof matches the INFO // HKDF hkdf = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Info")); byte[] okm = hkdf.GetBytes(32); byte[] completeData = okm.Concat(username).Concat(ltpk).ToArray(); if (!Ed25519.Verify(proof, completeData, ltpk)) { Console.WriteLine("Verification failed as iOS provided code was incorrect"); var errorTLV = new TLV(); errorTLV.AddType(Constants.Error, ErrorCodes.Authentication); byte[] errorOutput = TLVParser.Serialise(errorTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", errorOutput)); //var errorContent = new ByteArrayContent(output); //errorContent.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8"); //return new HttpResponseMessage(System.Net.HttpStatusCode.OK) //{ // Content = errorContent //}; } Console.WriteLine("Step 5/6 is complete."); Console.WriteLine("Pair Setup Step 6/6"); Console.WriteLine("Response Generation"); g = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info")); outputKey = g.GetBytes(32); // Create the AccessoryLTPK // byte[] accessoryLTSK; byte[] accessoryLTPK; var seed = new byte[32]; RandomNumberGenerator.Create().GetBytes(seed); Ed25519.KeyPairFromSeed(out accessoryLTPK, out accessoryLTSK, seed); File.WriteAllBytes("PrivateKey", accessoryLTSK); var serverUsername = Encoding.UTF8.GetBytes(Program.ID); byte[] material = outputKey.Concat(serverUsername).Concat(accessoryLTPK).ToArray(); byte[] signature = Ed25519.Sign(material, accessoryLTSK); Console.WriteLine("AccessoryDeviceInfo"); Console.WriteLine($"Username [{serverUsername.Length}]: {ByteArrayToString(serverUsername)}"); Console.WriteLine($"LTPK [{accessoryLTPK.Length}]: {ByteArrayToString(accessoryLTPK)}"); Console.WriteLine($"Proof [{signature.Length}]: {ByteArrayToString(signature)}"); TLV encoder = new TLV(); encoder.AddType(Constants.Identifier, serverUsername); encoder.AddType(Constants.PublicKey, accessoryLTPK); encoder.AddType(Constants.Signature, signature); // Verify our own signature // Ed25519.Verify(signature, material, accessoryLTPK); byte[] plaintext = TLVParser.Serialise(encoder); //chacha = new ChaChaEngine(20); //parameters = new ParametersWithIV(new KeyParameter(hkdfEncKey), Encoding.UTF8.GetBytes("PS-Msg06")); //chacha.Init(true, parameters); //macKey = InitRecordMAC(chacha); //byte[] ciphertext = new byte[plaintext.Length]; //chacha.ProcessBytes(plaintext, 0, plaintext.Length, ciphertext, 0); //var poly = new Poly1305(); //iOSPoly.Init(macKey); //iOSPoly.BlockUpdate //iOSPoly.BlockUpdate(ciphertext, 0, ciphertext.Length); //iOSPoly.BlockUpdate(BitConverter.GetBytes((long)ciphertext.Length), 0, 8); //var accessoryCalculatedMAC = new byte[iOSPoly.GetMacSize()]; //iOSPoly.DoFinal(accessoryCalculatedMAC, 0); //var accessoryCalculatedMAC = Sodium.OneTimeAuth.Sign(Encoding.UTF8.GetString(ciphertext), macKey.GetKey()); //var verifyMac = Sodium.OneTimeAuth.Verify(ciphertext, accessoryCalculatedMAC, macKey.GetKey()); //byte[] pt, ct, key, nonce, tag, aad; //key = Cnv.FromHex("071b113b 0ca743fe cccf3d05 1f737382"); //nonce = Cnv.FromHex("f0761e8d cd3d0001 76d457ed"); //aad = Cnv.FromHex("e20106d7 cd0df076 1e8dcd3d 88e54c2a 76d457ed"); //pt = Cnv.FromHex("08000f10 11121314 15161718 191a1b1c 1d1e1f20 21222324 25262728 292a2b2c 2d2e2f30 31323334 0004"); //tag = new byte[0]; // Do this to avoid "before it has been assigned a value" error //ct = Aead.Encrypt(out tag, pt, key, nonce, aad, Aead.Algorithm.Aes_128_Gcm); //Console.WriteLine("C: " + Cnv.ToHex(ct)); //Console.WriteLine("T: " + Cnv.ToHex(tag)); //byte[] ret = ciphertext.Concat(accessoryCalculatedMAC).ToArray(); //TLV responseTLV = new TLV(); //responseTLV.AddType(Constants.State, 6); //responseTLV.AddType(Constants.EncryptedData, ret); //output = TLVParser.Serialise(responseTLV); //ByteArrayContent content = new ByteArrayContent(output); //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8"); //Console.WriteLine("Step 6/6 is complete."); //return new HttpResponseMessage(System.Net.HttpStatusCode.OK) //{ // Content = content //}; nonce = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PS-Msg06")).ToArray(); aad = new byte[0]; byte[] outputTag = new byte[0]; var encryptedOutput = Aead.Encrypt(out outputTag, plaintext, hkdfEncKey, nonce, aad, Aead.Algorithm.Chacha20_Poly1305); Console.WriteLine($"EncryptionStatus: {General.ErrorCode()}"); // Test the decryption // Aead.Decrypt(encryptedOutput, hkdfEncKey, nonce, aad, outputTag, Aead.Algorithm.Chacha20_Poly1305); Console.WriteLine($"DecryptionStatus: {General.ErrorCode()}"); byte[] ret = encryptedOutput.Concat(outputTag).ToArray(); TLV responseTLV = new TLV(); responseTLV.AddType(Constants.State, 6); responseTLV.AddType(Constants.EncryptedData, ret); output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); //ByteArrayContent content = new ByteArrayContent(output); //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8"); //Console.WriteLine("Step 6/6 is complete."); //return new HttpResponseMessage(System.Net.HttpStatusCode.OK) //{ // Content = content //}; } return(null); //return new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest); }
public Tuple <string, byte[]> Post(byte[] body, ControllerSession session) { var parts = TLVParser.Parse(body); var state = parts.GetTypeAsInt(Constants.State); if (state == 1) { Console.WriteLine("* Pair Verify Step 1/4"); Console.WriteLine("* Verify Start Request"); var clientPublicKey = parts.GetType(Constants.PublicKey); byte[] privateKey = new byte[32]; SecureRandom random = new SecureRandom(); random.NextBytes(privateKey); var publicKey = Curve25519.GetPublicKey(privateKey); var sharedSecret = Curve25519.GetSharedSecret(privateKey, clientPublicKey); var serverUsername = Encoding.UTF8.GetBytes(Program.ID); byte[] material = publicKey.Concat(serverUsername).Concat(clientPublicKey).ToArray(); var accessoryLTSK = File.ReadAllBytes("PrivateKey"); byte[] proof = Ed25519.Sign(material, accessoryLTSK); HKDF g = new HKDF(() => { return(new HMACSHA512()); }, sharedSecret, Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Salt"), Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Info")); var outputKey = g.GetBytes(32); TLV encoder = new TLV(); encoder.AddType(Constants.Identifier, serverUsername); encoder.AddType(Constants.Signature, proof); byte[] plaintext = TLVParser.Serialise(encoder); var nonce = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PV-Msg02")).ToArray(); var aad = new byte[0]; byte[] outputTag = new byte[0]; var encryptedOutput = Aead.Encrypt(out outputTag, plaintext, outputKey, nonce, aad, Aead.Algorithm.Chacha20_Poly1305); byte[] ret = encryptedOutput.Concat(outputTag).ToArray(); TLV responseTLV = new TLV(); responseTLV.AddType(Constants.State, 2); responseTLV.AddType(Constants.PublicKey, publicKey); responseTLV.AddType(Constants.EncryptedData, ret); // Store the details on the session. // session.ClientPublicKey = clientPublicKey; session.PrivateKey = privateKey; session.PublicKey = publicKey; session.SharedSecret = sharedSecret; session.HkdfPairEncKey = outputKey; var encSalt = Encoding.UTF8.GetBytes("Control-Salt"); var infoRead = Encoding.UTF8.GetBytes("Control-Read-Encryption-Key"); var infoWrite = Encoding.UTF8.GetBytes("Control-Write-Encryption-Key"); g = new HKDF(() => { return(new HMACSHA512()); }, sharedSecret, encSalt, infoRead); session.AccessoryToControllerKey = g.GetBytes(32); g = new HKDF(() => { return(new HMACSHA512()); }, sharedSecret, encSalt, infoWrite); session.ControllerToAccessoryKey = g.GetBytes(32); var output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); } else if (state == 3) { Console.WriteLine("* Pair Verify Step 3/4"); Console.WriteLine("* Verify Start Request"); // We're looking good here. Need to set the encryption/settings on this session. // session.IsVerified = true; session.SkipFirstEncryption = true; TLV responseTLV = new TLV(); responseTLV.AddType(Constants.State, 4); var output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); } return(null); }
public Tuple <string, byte[]> Post(byte[] body, ControllerSession session) { var parts = TLVParser.Parse(body); var state = parts.GetTypeAsInt(Constants.State); var method = parts.GetTypeAsInt(Constants.Method); Console.WriteLine("***********************"); Console.WriteLine("* Pairings Controller *"); Console.WriteLine($"* State: {state} *"); Console.WriteLine($"* Method: {state} *"); Console.WriteLine("***********************"); TLV responseTLV = new TLV(); if (state == 1) { if (method == 3) // Add Pairing { Console.WriteLine("* Add Pairing"); var identifier = parts.GetType(Constants.Identifier); var publickey = parts.GetType(Constants.PublicKey); var permissions = parts.GetType(Constants.Permissions); LiteDB.LiteDatabase database = new LiteDB.LiteDatabase("Filename=Hap.db"); var pairingsCollection = database.GetCollection("pairings"); var existingPairing = pairingsCollection.FindById(Encoding.UTF8.GetString(identifier)); if (existingPairing == null) { var pairing = new LiteDB.BsonDocument(); var doc = new LiteDB.BsonDocument(); doc.Add("publickey", new LiteDB.BsonValue(publickey)); doc.Add("permissions", new LiteDB.BsonValue(permissions)); pairing.Add(Encoding.UTF8.GetString(identifier), doc); pairingsCollection.Insert(pairing); } else { // TODO DO something here. } responseTLV.AddType(Constants.State, 2); byte[] output1 = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output1)); } else if (method == 4) // Remove Pairing { Console.WriteLine("* Remove Pairing"); responseTLV = new TLV(); responseTLV.AddType(Constants.State, 2); byte[] output2 = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output2)); } if (method == 5) // List Pairing { Console.WriteLine("* List Pairings"); responseTLV = new TLV(); responseTLV.AddType(Constants.State, 2); byte[] output3 = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output3)); } } responseTLV.AddType(Constants.State, 2); responseTLV.AddType(Constants.Error, ErrorCodes.Busy); byte[] output = TLVParser.Serialise(responseTLV); return(new Tuple <string, byte[]>("application/pairing+tlv8", output)); }